INTERNAUT

The United States has other kinds of attacks to worry about these days, but ongoing attacks against government Web servers continue to be a top concern.

It's vital for citizens to continue to communicate with their government agencies online. We must not allow such valuable services to be shut down by a bunch of hacker-wannabes with too much time on their hands and little expertise other than how to launch distributed denial-of-service attacks.

In a time of crisis, the situation becomes doubly chaotic. Government should defend itself on a broader scale against these troublesome attacks.

It might mean changing the way IP addresses are assigned to government servers, or creating new rules for the way data is routed through government networks.

Distributed denial-of-service attacks flood a Web server with so many data requests that it can't keep up with legitimate traffic. Such attacks usually come from dozens or hundreds of other servers worldwide that have been taken over and programmed to automatically send thousands of bogus requests. These so-called zombie machines respond to a remote command or at a scheduled time.

The main reason service-denial attacks succeed is that the Internet works hard to deliver any data packet with a viable 'to' address. Someone can spoof the 'from' address in a packet and dump it anywhere on the Net to reach its target.

Such an attack is hard to shut down. It requires hunting upstream to identify the point of origin and then going after the perpetrator. I've written about ways to battle worms and flood attacks [GCN, Aug. 13, Page 29 and March 6, 2000, Page 34]. But single-site solutions are more reactive than proactive.

The government has many interconnected networks and Web sites that live in many places, including on contractors' servers. It's nearly impossible to establish a set of rules for how disparate machines should deal with service-denial attempts.

Can that change? It might have to, because government networks definitely need better security. We must take away hackers' ability to spoof packets, at least on government networks.

Here are some ideas for the .gov domain to make things safer.

Establish egress filtering on every federal Web server to prevent it from being used to launch zombie attacks on other servers.

Pass legislation requiring U.S. Internet service providers to set up egress filtering, too. This is a controversial step, but the time has come for radical measures.
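The egress check proposed above comes down to one rule at the network edge: forward an outbound packet only if its 'from' address belongs to the site. The sketch below is an added example, not code from this column or from any agency. The prefixes, interface names and packet records are constructed assumptions that use documentation address ranges.

```python
import ipaddress
from collections import Counter

# Assumption: the prefixes assigned to this site (documentation ranges).
SITE_PREFIXES = [ipaddress.ip_network(p)
                 for p in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed sample of outbound packets seen at the site's border.
# "iface" is the internal interface the packet arrived on; it is the only
# field a spoofing host cannot forge.
SAMPLE_PACKETS = [
    {"iface": "eth1", "src": "192.0.2.10",     "dst": "203.0.113.5"},
    {"iface": "eth2", "src": "10.9.8.7",       "dst": "203.0.113.5"},
    {"iface": "eth2", "src": "203.0.113.77",   "dst": "203.0.113.5"},
    {"iface": "eth1", "src": "198.51.100.200", "dst": "203.0.113.5"},
    {"iface": "eth3", "src": "198.51.100.20",  "dst": "203.0.113.9"},
    {"iface": "eth2", "src": "not-an-ip",      "dst": "203.0.113.5"},
]


def egress_allowed(src, prefixes=SITE_PREFIXES):
    """True only if the source address lies inside one of the site's prefixes."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed source: never forward
    return any(addr in net for net in prefixes)


def filter_outbound(packets, prefixes=SITE_PREFIXES):
    """Split packets into forwarded and dropped, counting drops per interface."""
    forwarded, dropped, drops_by_iface = [], [], Counter()
    for pkt in packets:
        if egress_allowed(pkt["src"], prefixes):
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
            drops_by_iface[pkt["iface"]] += 1
    return forwarded, dropped, drops_by_iface


if __name__ == "__main__":
    fwd, drop, by_iface = filter_outbound(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drop)}")
    for iface, count in by_iface.most_common():
        print(f"{iface}: {count} packets with a source outside the site")
```

The per-interface drop count is the useful by-product: an interface that keeps emitting foreign source addresses points to a machine on that segment that needs to be examined.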